
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

LockBit Ransomware Group Hacked; Operations Database Leaked

The LockBit ransomware group, one of the most active ransomware operations in recent years with thousands of attacks to its name, has suffered its own hacking and data leak incident. An unknown hacker managed to gain access to the control panel used by the group’s affiliates, defaced it with the message “Don’t do crime CRIME is BAD xoxo from Prague,” and added a download link for an SQL database.

The database contains sensitive internal operations data from December 2024 to April 2025, including a log of 75 affiliates and admins who have used the affiliate panel, along with their plaintext passwords. The database also includes victim profiles, domains, and estimated revenues; 4,492 chat messages between LockBit and its victims about ransom negotiations; custom ransomware builds used by affiliates in their attacks; 59,975 Bitcoin addresses; encryption references; and a list of the group’s victims between the start of December 2024 and the end of April 2025.

The hack was identified by a threat actor with the moniker Rey, who disclosed the discovery on X on May 7, 2025. The operator of the LockBit operation, LockBitSupp, reportedly confirmed the hack to Rey, but said no company data was damaged, and ransomware source code and decryptors had not been leaked.

LockBit has been the subject of an ongoing law enforcement operation (Operation Cronos) that has severely impacted all levels of the group’s operations. Law enforcement agencies from 10 countries participated in the operation and announced in February 2024 that there had been 2 arrests, 14,000+ rogue accounts had been closed, 34 servers were taken down, the group’s technical infrastructure and data leak site had been seized, and more than 200 cryptocurrency accounts had been frozen.


Decryption keys were also obtained, which allowed a free decryptor to be developed so that past victims could finally recover their data. The operation severely damaged the group’s credibility and capabilities, and the latest hacking incident will cause further reputational damage. The leaked database also gives law enforcement and security researchers invaluable insights into the group’s operations.

It is unclear who is behind the data leak, although it appears to be the work of the same cyber actor behind a similar attack on the Everest ransomware group. In that attack, the Everest dark web data leak site was compromised and defaced with the same message, “Don’t do crime CRIME is BAD xoxo from Prague.” The attack could be the work of a hacktivist or a member of a rival ransomware group looking to destroy the credibility of the competition.

One potential culprit is the DragonForce ransomware cartel, a relatively new ransomware group that has been aggressively recruiting affiliates from other ransomware operations. The group has recently started offering its infrastructure to other ransomware-as-a-service groups under a white-label model in exchange for a cut of any ransom payments as it looks to dominate the ransomware ecosystem. DragonForce is the group behind a string of ransomware attacks on major UK retailers in recent weeks, including Marks & Spencer (M&S), Harrods, and the Co-op group.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
